ABSTRACT

A mix network with superior privacy and robustness is provided. An apparatus comprising a duplicator and first and second operation modules is disclosed. The first and second operation modules are each comprised of first and second processors. Each processor is comprised of a partial operation device. The duplicator preferably duplicates a vector of encrypted inputs, and provides first and second substantially similar duplicated vectors, to the first and second operation modules, respectively. The partial operation device of the first processor of the first operation module partially operates on the first duplicated vector, then supplies the result to the partial operation device of the second processor of the first operation module which partially operates on it to provide a fully operated on first duplicated vector. Likewise, the partial operation device of the first processor of the second operation module partially operates on the second duplicated vector, then supplies the result to the partial operation device of the second processor of the second operation module which partially operates on the partially operated on second duplicated vector to provide a fully operated on first duplicated vector. A means for comparing compares the fully operated on first duplicated vector with the fully operated on second duplicated vector.
FIG. 3: block diagram of mix network 10: First Blind 12, Duplicator 100, 2nd Blind 210, 1210, 2210 (layer 200), Operation 310, 1310, 2310 (layer 300), 2nd Unblind 410, 1410, 2410 (layer 400), SORTING 510, 1510, 2510 (layer 500), COMPARISON 600, First Unblind 700, output 800; vectors 90, 120, 140, 160, 290, 1290, 2290, 390, 1390, 2390, 490, 1490, 2490, 590, 1590, 2590, 690.

12/17/2003, EAST Version: 1.4.1

U.S. Patent Apr. 11, 2000 sheet 4 of 7

FIG. 4: first blinding section 12 with processors 20, 50, 80 and vectors 1, 40, 70, 90.

FIG. 5: processor 20 with permutation section 15 (output data lines 26, 27, 28, 29 forming vector 30) and re-encrypt section 35 (output data lines 36, 37, 38, 39 forming vector 40).

U.S. Patent Apr. 11, 2000 sheet 5 of 7 6,049,613

FIG. 6: blinding section 210 with processors 205, 245, 285, input vector 120 and output vector 290.

FIG. 7: processor 205.

U.S. Patent Apr. 11, 2000 sheet 6 of 7

FIG. 8: operation section 310 with partial operation devices 305, 345, 385, input vector 290, intermediate vectors 325, 365, and output vector 390.

FIG. 9: second unblinding section 410 with processors 405, 445, 485, input vector 390 and output vector 490.

U.S. Patent Apr. 11, 2000 sheet 7 of 7

FIG. 10: first unblinding section 700 with processors 705, 745, 785, input vector 690 and output vector 800.
6,049,613

METHOD AND APPARATUS FOR ENCRYPTING, DECRYPTING, AND PROVIDING PRIVACY FOR DATA VALUES

BENEFIT OF PROVISIONAL APPLICATION FILING DATE CLAIMED

The present regular patent application is based at least in part on a provisional patent application filed on Jan. 17, 1997 by the applicant, Markus Jakobsson, title "Robust batch blinding", provisional application Ser. No. 60/035,587.

FIELD OF THE INVENTION

This invention relates to improved methods and apparatus for mix networks and more particularly to networks which efficiently provide privacy and robustness.

BACKGROUND OF THE INVENTION

The present invention deals with the area of encryption, decryption, re-encryption, permutation, and blinding of messages. Encryption takes a cleartext message and produces an encrypted message. Decryption takes an encrypted message and produces its corresponding cleartext message. Re-encryption takes an encrypted message and produces another encryption of the same message. Blinding may include the operations of encryption or reencryption and permutation which is later defined.

It is known in the prior art to take a message and turn it into an encrypted message using a first user's public key. The first user upon receiving the encrypted message can then decrypt it, to reveal the original message, using the first user's secret key. The first user's public key is, as the name implies, available to the public so that others can send messages to the first user. However, the first user's secret key is not available. The public key is associated with a one-way function, i.e. once the message is encrypted it cannot be decrypted without the secret key even though the public key and the encryption algorithms are known.

El Gamal encryption is known in the art. This encryption takes a message m as an input, chooses a random value "r", and produces an output a=m*y^r modulo p; b=g^r modulo p. For El Gamal decryption c=a/b^x modulo p, and the output c is the message m. For El Gamal re-encryption the input is (a,b), a random value r2 is chosen, a2=a*y^r2 modulo p and b2=b*g^r2 modulo p are calculated, and the output is (a2, b2). (a2, b2) and (a, b) decrypt to the same message "m" when all encryption is removed. In the above y=g^x modulo p is the public key and x is the secret key. The variables g, x, and p and other system parameters are picked according to methods known to a person skilled in the art.

The present invention also refers to the area of permutation. An example of permutation is as follows. Three votes are received in the following order: "yes", "yes", "no". The votes are randomly permuted, that is reordered in some random fashion to produce for example the following order: "no", "yes", "yes". The votes are the same, i.e. two "yes"es and one "no", however by permuting them, which particular voter voted what cannot be determined. This is only true (that you cannot tell who voted what) as long as you don't know the permutation used. If the votes were first encrypted, then both permuted and re-encrypted, then it is not possible to determine what input item produced what output item.

In mix networks, which are generally known, the concepts of encryption, decryption, and permutation are used together. A mix network takes a vector of values as input, and outputs a permuted or reordered list of function evaluations (typically decryptions) of the input items, without revealing the relationship between the input and output values. Mix networks are particularly useful for elections. Prior art mix networks do not provide adequate privacy or robustness in an efficient manner. The term "Privacy" is used herein to mean providing for example a voter with privacy against the entity providing the mix discovering how he voted. The term "Robustness" is used herein to mean providing the ability to make sure that all data were correctly calculated, even if some entities actively cheated. Efficiency is provided by utilizing a small amount of communication, storage, and computation.

There are two types of schemes already known as follows:

The first type are schemes with two or more processors where an input is processed by keys held by the processors, and some fixed number (set by the protocol designer) of processors have to cooperate. The scheme can be robust. It only decrypts one item at a time. If it decrypts more than that, the relationship between input and output messages is known, and therefore, there is no privacy. This first type is shown in FIG. 1.

The second type are schemes as above, but where there is privacy, obtained by using permutation, but there is no robustness. The second type is shown in FIG. 2, by David Chaum, Syverson, et al. and Gulcu et al., as known by those skilled in the art.

In either case, either privacy or robustness is given up. Likewise, there are many other applications, such as web commerce schemes, where both privacy and robustness is required, and a solution based on either of the above two approaches.

In a more recent paper, Ogata, Kurosawa, Sako, and Takatani disclose a mix network for decryption that has both privacy and robustness, but which is not efficient, as disclosed in "Fault tolerant anonymous channel," W. Ogata, K. Kurosawa, K. Sako, and K. Takatani, Proceedings of Information and Communications Security '97, pages 440-444. Their method is based on the well-known method of cut-and-choose, as can be appreciated by a person skilled in the art. In their scheme, each processor (or server) permutes and re-encrypts each message, and then permutes and re-encrypts again such permuted and re-encrypted message. Then this server is required to "open up" one of the two transactions. That means that it will reveal exactly how it performed one of the consecutive permutations and one of the consecutive re-encryptions. Which one is determined by the other servers. This process is repeated several times. If it is repeated k times then the probability that a processor will cheat and not be detected is (1/2)^k. For example, for k=3, the chances are (1/2)^3=1/8. To gain a high degree of robustness, a large number of repetitions is required. Each processor has to engage in the above protocol. Since cut-and-choose is not efficient, neither is the resulting mix network for decryption.

SUMMARY OF THE INVENTION

The present invention in some embodiments provides a mix network with superior privacy, robustness, and efficiency. In one embodiment an apparatus comprising a duplicator and first and second operation modules or sections are provided. The operation modules are preferably decryption modules although they can in some embodiments be encryption, re-encryption, permutation, and/or blinding modules and/or other operations known to a person skilled in the art. The first and second operation modules are each comprised of first and second processors. Each processor is comprised of a partial operation device. The partial operation device is preferably a partial decryption device. Each
processor is preferably a stand alone computer such as a 
stand alone personal computer. 

The duplicator preferably duplicates a vector of encrypted 
inputs, and provides first and second substantially similar 
duplicated vectors, to the first and second operation 
modules, respectively. The first and second substantially 
similar duplicated vectors are preferably identical. The vec- 
tor of inputs could in some embodiments be a non-encrypted 
vector of inputs. The partial operation device of the first 
processor of the first operation module partially operates on 
the first duplicated vector, then supplies the result to the 
partial operation device of the second processor of the first 
operation module which partially operates on it to provide a 
fully operated on first duplicated vector. Preferably the 
partial operation is one of partial decryption. 

Likewise, the partial operation device of the first proces- 
sor of the second operation module partially operates on the 
second duplicated vector, then supplies the result to the 
partial operation device of the second processor of the 
second operation module which partially operates on the 
partially operated on second duplicated vector to provide a 
fully operated on first duplicated vector. Again the operation 
modules are preferably decryption modules and the partial 
operation devices are preferably partial decryption devices. 

The apparatus is preferably further comprised of a means for comparing which compares the fully operated on first duplicated vector with the fully operated on second duplicated vector. Preferably fully operated on in this situation means fully decrypted. The means for comparing is preferably comprised of first and second sorting sections. Preferably the fully operated on first and second duplicated vectors are both sorted by sorting sections and compared. If the sorted results are identical, then we can say that no processor cheated, no processor made a mistake, and no error was otherwise introduced.

A plurality of further operation modules can be provided. The first, second and the plurality of further operation modules may have any number of processors therein.

Preferably the duplicator is preceded by a first blinding section, which preferably permutes and re-encrypts a pre-first encrypted vector of inputs to provide a first vector of inputs. (It could also be thought of as encrypting a first encrypted vector to provide a second encrypted vector). In some embodiments the first blinding section may not permute. In addition, between the duplicator and the operation layer, a second blinding layer is preferably provided which also permutes and re-encrypts. The operation layer is preferably followed by a second unblinding layer, and a sorting layer. The second unblinding layer removes the encryption introduced by the second blinding layer. The sorting layer puts inputs in a particular order for comparison, i.e. so that the relative impact of permutation in the second blinding layer is removed. The sorting layer may be part of a means for comparing which would also be comprised of a comparison section. The comparison section would be followed by a first unblinding section which removes the permutation and encryption introduced by the first blinding section. The first unblinding section would only perform first unblinding operations if the result from the comparison section shows that no one has cheated, i.e. that the fully operated on duplicated vectors (with or without other blinding operations) are substantially the same, preferably identical.
BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a block diagram of a first prior art network;

FIG. 2 shows a block diagram of a second prior art network;

FIG. 3 shows a block diagram of a mix network in accordance with the present invention;

FIG. 4 shows a first blinding section;

FIG. 5 shows the inputs and outputs to a processor of the initial blinding section in FIG. 4;

FIG. 6 shows a second blinding section;

FIG. 7 shows a processor of the second blinding section;

FIG. 8 shows an operation section;

FIG. 9 shows a second unblinding section; and

FIG. 10 shows a first unblinding section.

DETAILED DESCRIPTION OF THE DRAWINGS 
Prior Art

FIG. 1 shows a block diagram of a first prior art network 3010. The first prior art network 3010 is in accordance with a method suggested by Pedersen as known by those skilled in the art. The first prior art network 3010 includes processors 3020, 3022, and 3024 and verification and combination section 3040. The processors 3020, 3022, and 3024 include inputs 3012, 3014, and 3016 and outputs 3030, 3032, and 3034 respectively. The verification & combination section 3040 has inputs 3030, 3032, and 3034, and an output 3050. In the first prior art network 3010 an encrypted message E(m) is input to the three processors 3020, 3022, and 3024. The processors 3020, 3022, and 3024 use first, second and third secret keys, respectively, to partially decrypt the encrypted message E(m). First, second, and third partial decryptions appear on the outputs 3030, 3032, and 3034 respectively. Also appearing on each output 3030, 3032, and 3034 may be a proof of how the encrypted message E(m) was partially decrypted by each processor. The partial decryptions and their corresponding proofs are input to the verification & combination section 3040 which verifies the proofs and combines the first, second, and third partial decryptions to form a fully decrypted message "m" at the output 3050. There can be any number of processors in this scheme and three are only shown for exemplary purposes. Also, many different public key functions can be performed, and not only decryption.

FIG. 2 shows a block diagram of a second prior art network 4010. The second prior art network 4010 is in accordance with a method by Chaum as known by those skilled in the art. David Chaum introduced mix networks in 1981. The prior art network 4010 includes processors 4020, 4030, and 4040. Processor 4020 receives encrypted messages E1(E2(E3(m1))) and E1(E2(E3(m2))) on its inputs 4012 and 4112 respectively. The encrypted messages m1 and m2 were actually encrypted three times, first by encryption E3, then E2, and then E1. The processor 4020 does a first decryption to remove the encryption E1, and performs a random permutation, and outputs a permutation of the quantities E2(E3(m1)) and E2(E3(m2)) on its outputs 4022 and 4122, respectively. The processor 4030 does a second decryption to remove the encryption E2, and performs a random permutation and outputs a permutation of the quantities E3(m1) and E3(m2) on its outputs 4032 and 4132, respectively. The processor 4040 does a third decryption to remove the encryption E3, and performs a random permutation, to produce a permutation of the fully decrypted
messages m1 and m2, on the outputs 4042 and 4142 respectively. In the figure, the operation is shown without permutation for simplicity. Chaum's mix network 4010 is not robust.

Applicant's Invention

FIG. 3 shows a block diagram of a mix network 10 in accordance with an embodiment of the present invention. The mix network 10 can be thought of as having three branches corresponding to output vectors 120, 140, and 160. Each branch performs basically the same operations (with variations in permutation and in encryption factors). If each branch performs properly, then the vectors 590, 1590 and 2590 should be substantially the same, preferably identical. Each branch would then have a fully decrypted and fully operated on permuted list of messages (with the exception of the first unblinding, which is the same for all three branches, performed in 700). One of the differences between the prior art FIG. 1 and the applicant's invention FIG. 3 is that each branch corresponding to inputs 3012, 3014, and 3016 has only a part of a decrypted message and these have to be combined. In addition, FIG. 1 has no privacy, there is only one message, and there is no permutation. FIG. 1 has only robustness, and no privacy, whereas the disclosed invention has both. The FIG. 2 prior art obviously differs from FIG. 3 in that the encrypted message E1(E2(E3(m1))) is not sent to multiple branches. In addition FIG. 2 does not have robustness, only privacy, whereas the disclosed invention has both.

Mix network 10 of an embodiment of the present invention includes first blinding section 12, duplication section 100, second blinding layer 200, operation layer 300, second unblinding layer 400, sorting layer 500, comparing section 600, and first unblinding section 700.

Second blinding layer 200 is comprised of blinding sections 210, 1210, and 2210. There can be any number of blinding sections similar to blinding sections 210, 1210, and 2210. Operation layer 300 is comprised of operation sections or modules, 310, 1310, and 2310. Of course there can be any number of such operation modules or any number of the other sections or modules and three are used here for illustration. Second unblinding layer 400 is comprised of unblinding sections or modules 410, 1410, and 2410. Sorting layer 500 is comprised of sorting sections 510, 1510, and 2510. Again any number of these sections can be provided and three are used for illustration.

FIG. 4 shows a first blinding section 12. The first blinding section 12 includes processors 20, 50, and 80. There could be any number of processors similar to processors 20, 50, and 80. The processors 20, 50, and 80 and other processors can also be referred to as servers. The input of processor 20 is vector 1 and the output of processor 20 and input of processor 50 is vector 40. The output of processor 50 is vector 70 and the input of processor 80 is vector 90.

FIG. 5 shows the processor 20 of first blinding section 12 in more detail. The processor 20 is comprised of permutation section 15 and reencryption section 35. Vector 1 is comprised of data lines 2, 4, 6, and 8. The vector 1 is preferably a vector which could be comprised of any number of data lines or data bits. The vector 1 is connected and applied to the input of the permutation section 15 of processor 20. The permutation section 15 has an output 30 which is comprised of data lines 26, 27, 28, and 29. The permutation section 15 preferably outputs data in a random order which may or may not be a different order from the order that the data was received. For example, the data values "3", "7", "7", "4" may be received on input data lines 2, 4, 6, and 8 respectively, and the permutation section 15 may output those bits as "7", "7", "3", and "4" respectively on data output lines 26, 27, 28, and 29. Preferably, this reordering is random, so that one set of inputs on data lines 2, 4, 6, and 8 may be reordered one way and another set of inputs on data lines 2, 4, 6, and 8 reordered another way. These operations and others of embodiments of the present invention may be done in a computer or any other type of processor.

Processor 20 is also comprised of a reencryption section 35. The output of permutation section 15 is applied to the reencryption section 35. The vector 30, comprised of data lines 26, 27, 28, and 29, is the output of the permutation section 15 and the input of the reencryption section 35. The reencryption section 35 takes data from its inputs and produces an output. So for example, if the data on data lines 26, 27, 28 and 29 are "7", "7", "3", "4" respectively, the reencryption section 35 might output "5", "4", "12", "5" at its output lines 36, 37, 38, and 39. (Note that two identical input values, such as the two "7"s, are re-encrypted to different looking values; the corresponding re-encryptions of equal values may be different looking. Likewise, two encryptions of the same message may look different. When correctly decrypted, the correct values will be obtained.) Alternatively, the reencryption section 35 preferably raises each element of a vector to a secret exponent modulo p. If an element of the vector is "b" on data line 26 for example, the element "b" would be raised to the exponent a_i, where a_i is the secret key of user "i" or processor "i". The secret key may be used for decryption, or as in this case, re-encryption or blinding. Several keys can be used at once by each server (where a server may exercise the functions of several processors shown, for example a server may exercise the functions of processors 20, 205, 405, and 705). Some of the keys may have public keys and others do not. Where i is the number of the processor, i=1 for processor 20, i=2 for processor 50, and i=3 for processor 80. Thus the inputs on data lines 26, 27, 28, and 29 would each be raised to the secret exponent a_i modulo p, and the results would be output on output lines 36, 37, 38, and 39.

"Modulo p" means that the element of vector "b" is divided by "p" and the remainder of this operation is the output. Therefore, if the element of vector "b" is "5", a_i=3, p=11, then we output "b^a_i modulo p" = "5^3 modulo 11" = "125 modulo 11" = "4". There are specific ways of choosing p, relating to the manner of encryption, as will be appreciated by a person skilled in the art.

Processors 50 and 80 preferably are each comprised of permutation sections like permutation section 15 except that an independently and randomly chosen permutation is done, and reencryption sections like reencryption section 35 except that an independently and randomly chosen reencryption is done.

FIG. 6 shows a diagram of blinding section 210 of the second blinding layer 200. Blinding section 210 includes processors 205, 245, and 285. Blinding section 210 has an input vector 120 and an output vector 290. Input vector 120 is applied to the input of processor 205 which outputs vector 225. Vector 225 is input to processor 245 which outputs vector 265. Vector 265 is input to processor 285 which outputs vector 290. The blinding section or module 210 can include any number of processors, like processors 205, 245, and 285, and three are shown only as an example. However, a fixed number of processors such as processors 205, 245, and 285 are preferably set by a protocol designer or a computer programmer before processing operations. Vectors 120, 225, 265, and 290 all contain four data lines as in FIG. 5, however there can be as many data lines as necessary.

FIG. 7 shows a diagram of processor 205. Processor 205 includes permutation section 215 and reencryption section 220. Input vector 120 is input to permutation section 215, permuted and output as output vector 217. Vector 217 is input to reencryption section 220, where it is re-encrypted as previously described and output as vector 225. Processors 245 and 285 function similarly to processor 205 and each has a permutation section and a reencryption section. Each processor 205, 245, and 285 preferably employs the same algorithms for permutation and reencryption in the preferred implementation of the present invention. The permutation is random, with each processor, such as processor 205, 245, and 285, choosing a new and independent random permutation each time, unless specifically specified to use the same permutation several times. (This is true for permutation section 15 as well). The reencryption is preferably done according to the same algorithm for each processor, such as 205, 245, and 285, but with independently and randomly chosen keys for reencryption.

The permutation sections such as permutation section 215 preferably function similar to permutation section 15 of FIG. 5 as previously described. The reencryption section 220 may raise each input to a power similar to "a_i modulo p" previously discussed in reference to re-encryption section 35 of the processor 20 in FIG. 5.

The operation sections or modules 310, 1310, and 2310 preferably perform an operation, which is preferably decryption. The operation can also be re-encryption, encryption, permutation, or blinding or another related operation as will be appreciated by a person skilled in the art. The processors in the operation modules, such as for example operation module 310, may prove partial correctness of the output vector 390. If any proof fails then this processor is declared a cheater, and is excluded, as described below, after which the protocol proceeds as also described below. A proof of partial correctness in my preferred embodiment is a proof that the product of all the input vectors in FIG. 8, i.e. vectors 290, 325, and 365, correspond to the product of the output vectors in FIG. 8, i.e. vectors 325, 365, and 390, in the way that is intended. Here what is intended corresponds to what the operation is and may relate to a public key associated with the operation to be performed. There is a variety of available proofs that can be employed as will be appreciated by a person skilled in the art.

The second unblinding layer 400 preferably decrypts the encryption caused by second blinding layer 200. However the second unblinding layer 400 does not in this embodiment use permutation (although it could in another embodiment). The sorting layer 500 preferably puts elements of each vector in an order so that they can be compared with one another as will be appreciated by one skilled in the art. The sorting sections 510, 1510, and 2510 take vector inputs 490, 1490, and 2490 and put the inputs in an order where they can be compared. The comparison section 600 compares the vectors 590, 1590, and 2590 to see if they are substantially the same, preferably identical. If they are, one of the three vectors (since they are the same it doesn't matter which) is output as vector 690 and sent to the first unblinding section 700, which decrypts the encryption provided by first blinding section 12. The unblinding section 700 is only used if all the vectors 590, 1590, and 2590 are substantially the same, preferably identical.

All the input and output vectors such as vectors 1, 90, 120, 140, 160, 290, 1290, 2290, 390, 1390, 2390, 490, 1490, 2490, 590, 1590, 2590 are saved by the respective processors. If the vectors 590, 1590, and 2590 are not all identical then the following is performed: all processors reveal all secret permutations and re-encryption keys used in second blinding layer 200 and each processor proves that the correct operation was performed in its operation module in operation layer 300, and that the correct unblinding was done in its unblinding section in second unblinding layer 400. There is a wide variety of available proofs to be employed for this as appreciated by a person skilled in the art.

For example, if the inputs to a permutation section such as permutation section 15 are x1, x2, x3, and x4 on input lines 2, 4, 6, and 8 respectively, and the outputs of permutation section 15 on output lines 26, 27, 28, and 29 are y1, y2, y3 and y4 respectively, then for a partial proof of correctness the quantity Xprod=x1*x2*x3*x4 modulo p and similarly Yprod=y1*y2*y3*y4 modulo p are first computed, and it is determined whether Yprod=function(Xprod) by a method known to a person skilled in the art. This allows us to prove a property of the output vector with respect to the input vector without revealing what permutation was used.

Similarly, the product P1 of all elements of input vectors such as 120, 290, 390, and 490 can be determined and compared to the product P2 of all elements of output vectors such as vectors 290, 390, 490, and 590 in order to perform another partial proof of correctness. If a processor is found to not have acted correctly then that processor is a cheater. All cheating processors are excluded, and replaced by other processors, after which we start again with the same input vector 1 as before and all processors pick their random permutations and keys onwards in an independent manner from before.

The order of the permutation section 15 and reencryption section 35, or the order of any other permutation and reencryption operations, could be reversed so that data is reencrypted first and permuted second, or vice versa.

Each processor, such as processor 205, 245, and 285, may preferably be computers which are physically located in separate geographic locations and/or run different operating systems. However, some processors may be combined in a single server, such as processors 20, 205, 305, 405, and 705. But preferably there is a correspondence, i.e. if one processor performs a particular blinding, or encryption, it is preferred that the same processor perform the corresponding unblinding, if desired to do so in the protocol. For example, processors 20 and 705 may be the same, so that a first blinding operation in first blinding section 12 is done and undone by the same processor.

This mix network scheme is particularly useful for encrypting the results of elections providing that a majority of all processors are honest. Also, proactive methods for sharing the secret used in the operation can be applied, as understood by anyone skilled in the art.

In operation of the embodiment of FIG. 3 the following occurs. An input vector 1 (which is preferably an encrypted input vector) which is comprised of multiple data lines 2, 4, 6, and 8 is input to the first blinding section 12 and simultaneously to its permutation section 15 shown in FIG. 5. The input vector 1 is randomly permuted and an output vector is produced at data lines 26, 27, 28, and 29 of output vector 30. The vector 30 is input to re-encryption section 35, where it is encrypted and the result is output as vector 40 comprised of data lines 36, 37, 38, and 39. Vector 40 is then input to processor 50 where it is permuted and re-encrypted in a manner similar to that shown in FIG. 5. The resulting vector 70 is then input to processor 80 where it too is permuted and re-encrypted in a manner similar to that shown in FIG. 5.

The resulting vector 90 is then input to duplicator 100, 
where it is duplicated into first, second, and third duplicated 
vectors 120, 140, and 160. Any number of further duplicated 
vectors can be provided. All three duplicated vectors are 
subject to similar operations with the exception of the 
particular mathematical factors used. The first duplicated 
vector 120 will be referred to for illustration. 

Duplicated vector 120 is input to the blinding section 210 
of the second blinding layer 200. As shown in FIGS. 6 and 
7, the first duplicated vector 120 is input to the processor 
205. The first duplicated vector 120 is permuted and 
re-encrypted by permutation section 215 and re-encryption 
section 220 respectively. A resulting vector 225 is produced 
which is input to processor 245, where permutation and 
re-encryption similar to that shown in FIG. 7 is done. A 
resulting vector 265 is produced which is input to processor 
285, where permutation and re-encryption similar to that 
shown in FIG. 7 is again done. 

A resulting vector 290 from the blinding section 210 of 
the second blinding layer 200 is produced. Likewise a 
resulting vector 1290 and 2290 for the blinding sections 
1210 and 2210 is produced for the second and third dupli- 
cated vectors. 

Concerning the first duplicated vector its resulting vector 
290 is then applied to the operation module 310. The 
operation module 310, shown in FIG. 8, subjects vector 290 
to three sequential operations in processors 305, 345, and 
385, each of which contains a partial operation device. 
Preferably partial decryption is performed. Preferably a 
vector 390 is produced which is a fully decrypted vector, at 
least as to the encryption that was present regarding vector 
1. (The encryption introduced by first blinding section 12 
and second blinding section 210 is still present). Similarly 
concerning the second and third duplicated vectors, vectors 
1390, and 2390 are preferably produced which are fully 
decrypted duplicated vectors. 

The vector 390 is then applied to unblinding section 410 
which removes the "extra" encryption put in by blinding 
section 210. The purpose of this extra encryption along with 
the permutations employed is to implement robustness by 
making any attack or error noticed. Thus, if some processors 
should not perform the expected operations in blinding layer 
200, operation layer 300, and unblinding layer 400, this will 
be noticed. If blinding layer 200 and unblinding layer 400 
were not used then it may under some circumstances be 
possible for a cheating processor to perform an operation 
different from operation 300, resulting in an incorrect 
output, without this being noticed. 

Likewise, the vectors 1390 and 2390 are applied to 
unblinding sections 1410 and 2410 to remove the "extra" 
encryption put in by blinding sections 1210 and 2210. 

These unblindings may all be done in parallel. To produce 
a result as if produced by a parallel computation, the final 
outputs of the unblinding operations that are performed first 
may be committed to and later presented in full, once all 
unblinding modules have finished their unblinding tasks. 
This can be done using a variety of methods, as a person 
skilled in the art will appreciate. This is done in our preferred 
implementation. 

The vector 490 is then output to sorting section 510 where 
it is sorted so that it can be compared to the vectors 1490 and 
2490 from the second and third duplicated branches, which 
are sorted by sorting sections 1510 and 2510 respectively. 
Finally, the comparison section 600 compares the vectors 
590, 1590 and 2590 to determine if they are substantially the 
same, preferably identical. If they are, one of them is output 
as vector 690 (doesn't matter which) as an input to unblind- 
ing section 700. Unblinding section 700 decrypts the "extra" 
encryption provided by first blinding section 12. This was 
needed so that if it was found that some processors cheated, 
no output will be produced (as only an encryption of this will 
be available). This is important in order to hide partial results 
from cheating processors because we only want to produce 
an output if it will be correct. Example: if the first out of 
three votes is correctly decrypted and the second and third 
are replaced by phony votes, then outputting such an incorrect 
result would reveal the first vote. 
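The FIG. 3 pipeline as an added simulation, not the patent's own code: blinding is modelled as exponentiation of each ciphertext by a secret factor followed by a permutation (one way to realise the "mathematical factors" the text mentions), the operation as chained partial ElGamal decryption by two key-share holders, and a constructed cheating processor in one duplicated branch shows the comparison section withholding all output. The prime, generator, key shares and sample ballots are constructed toy values.

```python
import random
# Constructed toy parameters: p = 23 is a safe prime (q = 11) and g = 4 has order q.
P, Q, G = 23, 11, 4
X_SHARES = [3, 5]                # constructed key shares held by the two operation processors
Y = pow(G, sum(X_SHARES), P)     # joint public key y = g^(x1 + x2)

def encrypt(m, r):
    """ElGamal ciphertext (g^r, m*y^r) of a message m in the order-q subgroup."""
    return (pow(G, r, P), m * pow(Y, r, P) % P)

def blind(vec, delta, rng):
    """Blinding section: raise every ciphertext to a secret factor delta, then permute."""
    out = [(pow(a, delta, P), pow(b, delta, P)) for a, b in vec]
    rng.shuffle(out)
    return out

def partial_decrypt(vec, x_i):
    """Partial operation device: remove one processor's share of the secret key."""
    return [(a, b * pow(a, -x_i, P) % P) for a, b in vec]

def unblind(values, delta):
    """Unblinding section: undo exponentiation by delta (inverse taken mod q)."""
    inv = pow(delta, -1, Q)
    return [pow(v, inv, P) for v in values]

def run_branch(vec, delta, cheating_processor, rng):
    """One duplicate: second blinding, chained partial decryptions, unblinding, sorting."""
    vec = blind(vec, delta, rng)
    for i, x_i in enumerate(X_SHARES):
        vec = partial_decrypt(vec, x_i)
        if i == cheating_processor:         # dishonest processor tampers with its output
            vec = [(a, b * 2 % P) for a, b in vec]
    return sorted(unblind([b for _, b in vec], delta))

def mix(ciphertexts, cheating_branch=None, seed=1):
    """Return the permuted plaintexts, or None when the duplicated branches disagree."""
    rng = random.Random(seed)
    delta0 = rng.randrange(1, Q)                       # factor of first blinding section 12
    vec = blind(ciphertexts, delta0, rng)              # blind once, then duplicate
    deltas = [rng.randrange(1, Q) for _ in range(3)]   # one fresh factor per duplicate
    outs = [run_branch(list(vec), d, 1 if j == cheating_branch else None, rng)
            for j, d in enumerate(deltas)]
    if any(o != outs[0] for o in outs[1:]):            # comparison section 600
        return None                                    # still blinded: nothing leaks
    return unblind(outs[0], delta0)                    # first unblinding section 700

# Constructed sample: three ballots encoded as g^vote, encrypted with fixed randomness.
VOTES = [1, 2, 3]
BALLOTS = [encrypt(pow(G, v, P), r) for v, r in zip(VOTES, [2, 7, 5])]
```

With honest branches `mix(BALLOTS)` returns the three encoded votes in a blinded, sorted order; with `cheating_branch=2` it returns `None`, because the branch outputs no longer agree and the first-layer blinding is never removed.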

I claim: 

1. An apparatus comprising: 

a duplicator for duplicating a first vector of encrypted 
inputs; 

a first operation module comprised of a first and a second 
processor, the first and second processors of the first 
operation module each comprised of a partial operation 
device; 

a second operation module comprised of a first and a 
second processor, the first and second processors of the 
second operation module each comprised of a partial 
operation device; 

wherein the duplicator duplicates the first vector of 
encrypted inputs to provide first and second duplicated 
vectors, 

wherein the first duplicated vector is supplied to and operated on by the first operation module by supplying the first duplicated vector to the first processor of the first operation module whose partial operation device partially operates on the first duplicated vector, and then by supplying the partially operated on first duplicated vector to the second processor of the first operation module whose partial operation device partially operates on the already partially operated on first duplicated vector to form a fully operated on first duplicated vector; 

wherein the second duplicated vector is supplied to and 
operated on by the second operation module by sup- 
plying the second duplicated vector to the first proces- 
sor of the second operation module whose partial 
operation device partially operates on the first dupli- 
cated vector, and then by supplying the partially oper- 
ated on first duplicated vector to the second processor 
of the second operation module whose partial operation 
device partially operates on the already partially oper- 
ated on second duplicated vector to form a fully oper- 
ated on second duplicated vector; 

wherein the apparatus is further comprised of a means for 
comparing which compares the fully operated on first 
duplicated vector with the fully operated on second 
duplicated vector; 

and wherein the first vector, the first and second dupli- 
cated vectors, the partially operated on first and second 
duplicated vectors, and the fully operated on first and 
second duplicated vectors each are comprised of one or 
more data values on one or more data lines. 

2. The apparatus of claim 1 and further comprising: 

a plurality of further operation modules each comprised of 
a plurality of further processors, the plurality of further 
processors each comprised of a partial operation 
device; 

wherein the duplicator duplicates the vector of encrypted 
inputs to provide a plurality of further substantially 
similar duplicated vectors to the plurality of further 
operation modules; 

wherein each of the plurality of further duplicated vectors 
is supplied to and operated on by one of the plurality of 
further operation modules; 

wherein each of the plurality of further duplicated vectors 
is supplied to and operated on by one of the plurality of 
further operation modules by supplying each of the 
plurality of further duplicated vectors to a chain of the 
plurality of processors and their corresponding partial 
operation devices within a respective operation 
module, to form a plurality of further fully operated on 
duplicated vectors; 

the means for comparing compares the plurality of further 
fully operated on duplicated vectors with one another 

and wherein the plurality of further substantially similar 
duplicated vectors, and the plurality of further fully 
operated on duplicated vectors are each comprised of 
one or more data values on one or more data lines. 
3. The apparatus of claim 1 wherein: 

the first and second operation modules are decryption 
modules; and 

the partial operation devices are partial decryption 
devices. 

4. The apparatus of claim 2 wherein: 

the first, second, and plurality of further operation mod- 
ules are decryption modules; and 

the partial operation devices are partial decryption 
devices. 

5. The apparatus of claim 1 wherein: 

the first and second operation modules are encryption 
modules; and 

the partial operation devices are partial encryption 
devices. 

6. The apparatus of claim 2 wherein: 

the first, second, and plurality of further operation mod- 
ules are encryption modules; and 

the partial operation devices are partial encryption 
devices. 

7. The apparatus of claim 1 wherein: 

the first and second operation modules are re-encryption 
modules; and 

the partial operation devices are partial re-encryption 
devices. 

8. The apparatus of claim 2 wherein: 

the first, second, and plurality of further operation mod- 
ules are re-encryption modules; and 

the partial operation devices are partial re-encryption 
devices. 

9. The apparatus of claim 1 wherein: 

the first and second operation modules are permutation 
modules; and 

the partial operation devices are permutation devices. 

10. The apparatus of claim 2 wherein: 
the first, second, and plurality of further operation mod- 
ules are permutation modules; and 
the partial operation devices are partial permutation 
devices. 

11. The apparatus of claim 1 further comprising: 

a first blinding layer comprised of a first blinding section 
which receives a pre-first encrypted vector of inputs, 
performs a blinding operation on the pre-first vector of 
inputs and outputs the first vector of encrypted inputs to 
the duplicator; 

and wherein the pre-first encrypted vector of inputs is 
comprised of one or more data values on one or more 
data lines. 

12. The apparatus of claim 11 wherein: 

the first blinding section of the first blinding layer per- 
mutes and re-encrypts the pre-first encrypted vector of 
inputs. 

13. The apparatus of claim 11 further comprising: 

a first unblinding layer comprised of a first unblinding 
section which performs an unblinding operation on the 
fully operated on first and second duplicated vectors. 

14. The apparatus of claim 13 and wherein: 

the first unblinding section of the first unblinding layer 
performs the unblinding operation only if the means for 
comparing has determined that the first and second 
fully operated on duplicated vectors are the same. 

15. The apparatus of claim 11 further comprising: 

a second blinding layer comprised of first and second 
blinding sections; 

wherein the first duplicated vector is supplied to the first 
blinding section of the second blinding layer; 

the second duplicated vector is supplied to the second 
blinding section of the second blinding layer; 

and the first and second blinding sections of the second 
blinding layer each perform a blinding operation on the 
first and second duplicated vectors respectively and 
then output the result to the first and second operation 
modules, respectively, 

and wherein supplying the first and second duplicated 
vectors to the first and second operation modules, 
respectively is defined as supplying first and second 
duplicated vectors which have been first blinded by the 
first and second blinding sections of the second blind- 
ing layer, respectively, to the first and second operation 
modules. 

16. The apparatus of claim 15 further comprising: 

a second unblinding layer comprised of first and second 
unblinding sections; 

wherein the first and second unblinding sections perform 
unblinding operations on the fully operated on first and 
second duplicated vectors, respectively. 

17. The apparatus of claim 1 wherein: 

the means for comparing includes first and second sorting 
sections which sort the first and second fully operated 
on duplicated vectors respectively, so that they can be 
compared. 